WSpot, a Brazilian software provider that helps businesses manage their on-premise Wi-Fi networks and routers, leaked the personally identifiable information of more than 2.5 million Brazilian users through an unsecured AWS S3 bucket.
The breach came to light after security researchers at SafetyDetectives discovered a massive Amazon Web Services (AWS) S3 bucket owned and managed by WSpot. The S3 bucket server was open to public access as it was left without any authentication procedures in place.
The researchers discovered the unprotected AWS S3 bucket on September 2 and informed WSpot about the exposure on September 7, following which the server was quickly secured. According to SafetyDetectives, the bucket stored the personally identifiable information of more than 2.5 million Brazilian citizens, though it is not known if it was accessed by malicious actors.
The leaked data of 2.5 million users included personally identifiable information like their full names, dates of birth, email addresses, phone numbers, gender, complete addresses with postcode, and CPF numbers (individual taxpayer numbers).
As WSpot provides specialised software to help businesses secure and manage their on-premise Wi-Fi networks and routers, the leak exposed the personal data of customers of many of the company’s clients. WSpot reportedly has various high-profile clients including health insurance operator Unimed, Sicredi, and Pizza Hut.
When analyzing the unprotected S3 bucket, researchers found that it leaked 84MB of files containing 280,000 SMS log entries. These logs exposed the email addresses and user passwords of people who connected to each WSpot client’s Wi-Fi.
The researchers also came across 550MB of guest reports in “.csv” format that contained an estimated 2.5 million log entries. The guest reports, visible to anyone with a link to the bucket, exposed full names, dates of birth, email addresses, phone numbers, gender, complete addresses with postcode, and CPF numbers (individual taxpayer numbers). SafetyDetectives said this information could serve as a goldmine for malicious actors.
Commenting on the massive leak of personal information of Brazilian citizens, Javvad Malik, lead security awareness advocate at KnowBe4, told Teiss, “This is a huge breach and not only has the common error of a publicly exposed S3 bucket, but also because of the amount and nature of data that was stored.
“Organisations need to take into consideration the responsibility that comes with collecting, storing, and processing information. It is no longer enough to have a separate security team to implement a few controls and call it a day. Rather security responsibility should flow through the whole organisation, whether it be the person designing data flows, deciding on which data is captured, how it’s stored, and how the cloud platform is configured.
“Until organisations foster a culture of security, we will continue to unfortunately see breaches like this continue to occur and impact organisations and individuals,” he added.
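The root cause described above is a bucket reachable without any authentication. As an added illustration (not code from the article, SafetyDetectives or WSpot), the following Python audits the two settings that decide whether an S3 bucket is public: the Block Public Access flags and the bucket policy, using the same key names boto3 returns for them. The bucket name, account ID and role name are constructed placeholders.

```python
import json

# Keys exactly as returned by boto3's s3.get_public_access_block()["PublicAccessBlockConfiguration"]
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def is_anonymous_principal(principal):
    """True if a policy statement's Principal grants access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False

def public_statements(policy_json):
    """Return the Sids (or indexes) of Allow statements open to any principal.
    Conditions are ignored, so a wildcard limited by e.g. a VPC endpoint still counts."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", str(i)) for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and is_anonymous_principal(s.get("Principal"))]

def assess_bucket(pab_config, policy_json):
    """Combine the Block Public Access settings with the bucket policy.
    Returns a list of findings; an empty list means no public exposure was found."""
    findings = []
    missing = [k for k in PAB_KEYS if not pab_config.get(k, False)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    open_sids = public_statements(policy_json)
    # A wildcard-principal Allow is only neutralised when both policy-related blocks are on
    if open_sids and not (pab_config.get("BlockPublicPolicy") and pab_config.get("RestrictPublicBuckets")):
        findings.append("Policy grants access to anonymous principals: " + ", ".join(open_sids))
    return findings

# Constructed sample: the weak configuration (anonymous s3:GetObject, nothing blocked)...
WEAK_PAB = {k: False for k in PAB_KEYS}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# ...and the corrected one: a single application role, with Block Public Access fully on.
SAFE_PAB = {k: True for k in PAB_KEYS}
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, pab, pol in (("weak", WEAK_PAB, WEAK_POLICY), ("safe", SAFE_PAB, SAFE_POLICY)):
        print(name, assess_bucket(pab, pol) or ["no public exposure found"])
```

Against a live account, the two inputs come from `get_public_access_block` and `get_bucket_policy`; bucket ACLs and object ACLs are a separate check not covered here.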